# Security

## External domain whitelisting:

You can whitelist specific domains in order to allow only specific external sources to be requested. In addition, you can combine Domain whitelisting with Aliases to send custom headers to a non-public external storage for authentication purposes.

In order to set the whitelisting configuration for a specific domain, you need to have an Owner, Admin, Manager or Developer [User Role](https://docs.scaleflex.com/vxp-visual-experience-platform/settings/organisation/users/users#user-role) and to go to Settings > Optimization > Delivery > (tab) Security.

Then click on `+ Add domain` and enter the domain name that you would like to whitelist without the https\://- part:

<figure><img src="https://2536208400-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqsq2dR7Fjagf5eTifWZx%2Fuploads%2FOpxMeiddMvKpPbPHT5ow%2Fimage.png?alt=media&#x26;token=effebb41-1958-4d2d-9493-62f64cc1c054" alt=""><figcaption></figcaption></figure>

In the example above, domain `sample.li` is whitelisted. Which means that if we try to process an image with any other domain except `sample.li`(eg: [www.your-own-domain.com](http://www.your-own-domain.com)), the system will return an error status code 406 (Not Acceptable).

If you prefer, this response can be changed to HTTP 404 (Default missing image).

<figure><img src="https://2536208400-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqsq2dR7Fjagf5eTifWZx%2Fuploads%2FuKqKqWDgjiLaEwjkMOtc%2Fimage.png?alt=media&#x26;token=1a55714d-2091-47e1-8119-1a508fabac47" alt=""><figcaption></figcaption></figure>

Aliases are also supported. In case you have set a [Standard](https://docs.scaleflex.com/dynamic-media-optimization-dmo/settings/url-format#aliases) or a [Storage](https://docs.scaleflex.com/dynamic-media-optimization-dmo/settings/asset-origin) alias, you can add it as a value (eg: `_myalias_`) in the list of Whitelisted domains.